App - System
ELF x64 - Stack buffer overflow - advanced
Getting shell, but under a different user. I’ve used ROPGadget to generate rop
app-systeme-ch34@challenge03: $ (cat /tmp/kekcode -) | ./ch34
..skipped
whoami
app-systeme-ch34
cat .passwd
cat: .passwd: Permission denied
What am I doing wrong?
ELF x64 - Stack buffer overflow - advanced
You need to be app-systeme-ch34-cracked to have read access to .passwd.
So you might want to complete the ROP chain (with the syscall) to set your effective user id right.
See https://en.wikipedia.org/wiki/User_identifier
ELF x64 - Stack buffer overflow - advanced
The effective user id (euid) matches the real user id (ruid) (app-systeme-ch34) instead of being the executable owner’s user id (app-systeme-ch34-cracked) (see https://en.wikipedia.org/wiki/User_identifier). That means the program dropped its privileged euid and you need to set it right back (it is an extra step in this ROP challenge, quite frustrating after managing everything else, but hey, at least you end up learning new stuff ;) )
Complete your ROP chain to fix that (google how to replicate seteuid() C function with an assembly syscall)
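The reply above turns on the difference between a temporary and a permanent privilege drop in a setuid program. The following is an added example, not part of the thread or the challenge: a C sketch of the Linux ID rule involved and of a verified permanent drop, using constructed UIDs (1000 for the invoking user, 2000 for the file owner) and hypothetical helper names.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* exposes getresuid()/setresuid() in glibc */
#endif
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Declared explicitly in case feature macros were fixed by an earlier include. */
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
int setresuid(uid_t ruid, uid_t euid, uid_t suid);

/* Linux rule for a process without CAP_SETUID: each of the real, effective
 * and saved IDs may only be set to a value currently held in one of the
 * three. Returns 1 if `target` is still reachable, 0 if it is gone. */
int can_regain(uid_t ruid, uid_t euid, uid_t suid, uid_t target)
{
    return target == ruid || target == euid || target == suid;
}

/* Permanent drop: overwrite all three IDs, then read them back and verify.
 * Returns 0 on success, -1 if the call failed or any ID did not change. */
int drop_permanently(uid_t uid)
{
    uid_t r, e, s;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    if (getresuid(&r, &e, &s) != 0)
        return -1;
    return (r == uid && e == uid && s == uid) ? 0 : -1;
}

int main(void)
{
    /* Constructed state after seteuid(getuid()) in a setuid binary:
     * the saved ID still holds the owner, so the drop is reversible. */
    printf("after seteuid():   owner reachable = %d\n",
           can_regain(1000, 1000, 2000, 2000));
    /* Constructed state after setresuid(1000, 1000, 1000). */
    printf("after setresuid(): owner reachable = %d\n",
           can_regain(1000, 1000, 1000, 2000));

    if (drop_permanently(getuid()) != 0) {
        fputs("privilege drop failed, refusing to continue\n", stderr);
        return 1;
    }
    return 0;
}
```

A setuid program that only calls seteuid() before handling untrusted input leaves the owner's UID in the saved ID, which is why the drop can be undone; setresuid() with a read-back check closes that gap.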
ELF x64 - Stack buffer overflow - advanced
For these challenges, you need to use the dash shell in order for your shellcode to get the cracked user’s privileges.